shopdb/updatesubnet_direct.asp

<%
'=============================================================================
' FILE: updatesubnet_direct.asp
' PURPOSE: Update existing subnet with IP address calculations
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<html>
<head>
<link rel="stylesheet" href="./style.css" type="text/css">
<!--#include file="./includes/sql.asp"-->
</head>

<body>
<div class="page">
<%
	' Get form inputs
	Dim subnetid, vlan, ipstart, cidr, description, subnettypeid, cidrarray, ipend

	subnetid = Trim(Request.Querystring("subnetid"))
	vlan = Trim(Request.Form("vlan"))
	ipstart = Trim(Request.Form("ipstart"))
	cidr = Trim(Request.Form("cidr"))
	description = Trim(Request.Form("description"))
	subnettypeid = Trim(Request.Form("subnettypeid"))

	' Validate required ID fields
	If Not IsNumeric(subnetid) Or CLng(subnetid) < 1 Then
		Response.Write("Invalid subnet ID")
		objConn.Close
		Response.End
	End If

	' Verify the subnet exists using parameterized query
	Dim checkSQL, rsCheck, cmdCheck
	checkSQL = "SELECT COUNT(*) as cnt FROM subnets WHERE subnetid = ?"
	Set cmdCheck = Server.CreateObject("ADODB.Command")
	cmdCheck.ActiveConnection = objConn
	cmdCheck.CommandText = checkSQL
	cmdCheck.CommandType = 1
	cmdCheck.Parameters.Append cmdCheck.CreateParameter("@subnetid", 3, 1, , CLng(subnetid))
	Set rsCheck = cmdCheck.Execute

	Dim subnetExists
	subnetExists = False
	If Not rsCheck.EOF Then
		If Not IsNull(rsCheck("cnt")) Then
			If CLng(rsCheck("cnt")) > 0 Then
				subnetExists = True
			End If
		End If
	End If
	rsCheck.Close
	Set rsCheck = Nothing
	Set cmdCheck = Nothing

	If Not subnetExists Then
		Response.Redirect("displaysubnets.asp")
		objConn.Close
		Response.End
	End If

	' Validate required fields
	If vlan = "" Or ipstart = "" Or cidr = "" Or subnettypeid = "" Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=REQUIRED_FIELD")
		objConn.Close
		Response.End
	End If

	' Validate VLAN is numeric
	If Not IsNumeric(vlan) Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	' Basic IP address validation
	If Len(ipstart) < 7 Or Len(ipstart) > 15 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_IP")
		objConn.Close
		Response.End
	End If

	' Validate subnet type ID
	If Not IsNumeric(subnettypeid) Or CLng(subnettypeid) < 1 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_ID")
		objConn.Close
		Response.End
	End If

	' Parse CIDR value (expected format: "cidr,ipend")
	If InStr(cidr, ",") = 0 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	cidrarray = Split(cidr, ",")
	If UBound(cidrarray) < 1 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	ipend = Trim(cidrarray(1))
	cidr = Trim(cidrarray(0))

	' Remove leading slash if present (CIDR comes as "/24" format)
	If Left(cidr, 1) = "/" Then
		cidr = Mid(cidr, 2)
	End If

	' Validate CIDR is numeric (0-32)
	If Not IsNumeric(cidr) Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	If CInt(cidr) < 0 Or CInt(cidr) > 32 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	' Validate ipend is numeric
	If Not IsNumeric(ipend) Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	' Validate description length
	If Len(description) > 500 Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	' Verify subnet type exists using parameterized query
	checkSQL = "SELECT COUNT(*) as cnt FROM subnettypes WHERE subnettypeid = ?"
	Set cmdCheck = Server.CreateObject("ADODB.Command")
	cmdCheck.ActiveConnection = objConn
	cmdCheck.CommandText = checkSQL
	cmdCheck.CommandType = 1
	cmdCheck.Parameters.Append cmdCheck.CreateParameter("@subnettypeid", 3, 1, , CLng(subnettypeid))
	Set rsCheck = cmdCheck.Execute

	Dim typeExists
	typeExists = False
	If Not rsCheck.EOF Then
		If Not IsNull(rsCheck("cnt")) Then
			If CLng(rsCheck("cnt")) > 0 Then
				typeExists = True
			End If
		End If
	End If
	rsCheck.Close
	Set rsCheck = Nothing
	Set cmdCheck = Nothing

	If Not typeExists Then
		Response.Redirect("displaysubnet.asp?subnetid=" & subnetid & "&error=NOT_FOUND")
		objConn.Close
		Response.End
	End If

	' Update using parameterized query
	Dim strSQL, cmdUpdate
	strSQL = "UPDATE subnets SET vlan = ?, ipstart = INET_ATON(?), ipend = (INET_ATON(?) + ?), cidr = ?, subnettypeid = ?, description = ? WHERE subnetid = ?"
	Set cmdUpdate = Server.CreateObject("ADODB.Command")
	cmdUpdate.ActiveConnection = objConn
	cmdUpdate.CommandText = strSQL
	cmdUpdate.CommandType = 1
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@vlan", 3, 1, , CLng(vlan))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipstart1", 200, 1, 15, ipstart)
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipstart2", 200, 1, 15, ipstart)
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipend", 3, 1, , CLng(ipend))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@cidr", 200, 1, 2, cidr)
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@subnettypeid", 3, 1, , CLng(subnettypeid))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@description", 200, 1, 500, description)
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@subnetid", 3, 1, , CLng(subnetid))

	On Error Resume Next
	cmdUpdate.Execute

	If Err.Number = 0 Then
		Set cmdUpdate = Nothing
		objConn.Close
		Response.Redirect("./displaysubnet.asp?subnetid=" & subnetid)
	Else
		Response.Write("Error: " & Server.HTMLEncode(Err.Description))
		Set cmdUpdate = Nothing
		objConn.Close
	End If
%>
</div>
</body>
</html>